teslacrypt | 92b375015b3867f10a9cd94b6474986bf24c70e2d40b3280ceeec2331265be23

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10/06/2024, 10:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirusShare_1e1def42d14365acdde0fab027ab4f73.exe
Size

352KB
MD5

1e1def42d14365acdde0fab027ab4f73
SHA1

076c52faa6c76610fca15b8533e81bf8ba8133a8
SHA256

92b375015b3867f10a9cd94b6474986bf24c70e2d40b3280ceeec2331265be23
SHA512

c93298bc25a818114018cb51a3b0e4c3137b46633dabb6a17303f12473e58d64e19c39c14f307c0df9e0e4202171d2ab22eaef2bf3f7b35e5b9b7a114eb7d722
SSDEEP

6144:5Meb/EDtpBx1aRXJub19pf3gOURaJmf+ubexB3wLaYZSzvF:5Tb/wtN1aRXJg1f3gO9Jm+u2BgeYkzv

Score

10^/10

teslacrypt defense_evasion execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\_ReCoVeRy_+cusro.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA4096 More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA4096 Key , both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1 - http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/4CE3714A1E7491C7 2 - http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/4CE3714A1E7491C7 3 - http://yyre45dbvn2nhbefbmh.begumvelic.at/4CE3714A1E7491C7 If for some reasons the addresses are not available, follow these steps: 1 - Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2 - After a successful installation, run the browser 3 - Type in the address bar: xlowfznrg4wf7dli.onion/4CE3714A1E7491C7 4 - Follow the instructions on the site IMPORTANT INFORMATION Your personal pages http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/4CE3714A1E7491C7 http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/4CE3714A1E7491C7 http://yyre45dbvn2nhbefbmh.begumvelic.at/4CE3714A1E7491C7 Your personal page Tor-Browser xlowfznrg4wf7dli.ONION/4CE3714A1E7491C7

URLs

http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/4CE3714A1E7491C7

http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/4CE3714A1E7491C7

http://yyre45dbvn2nhbefbmh.begumvelic.at/4CE3714A1E7491C7

http://xlowfznrg4wf7dli.ONION/4CE3714A1E7491C7

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (880) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	vxvvtaooidlk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	VirusShare_1e1def42d14365acdde0fab027ab4f73.exe

Drops startup file 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+cusro.png	vxvvtaooidlk.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+cusro.txt	vxvvtaooidlk.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+cusro.html	vxvvtaooidlk.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+cusro.png	vxvvtaooidlk.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+cusro.txt	vxvvtaooidlk.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+cusro.html	vxvvtaooidlk.exe

Executes dropped EXE 1 IoCs

pid	Process
4080	vxvvtaooidlk.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nwlfayt = "C:\\Windows\\system32\\CMD.EXE /c start C:\\Windows\\vxvvtaooidlk.exe"	vxvvtaooidlk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ku_IQ\_ReCoVeRy_+cusro.html	vxvvtaooidlk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\d3d11\_ReCoVeRy_+cusro.png	vxvvtaooidlk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\es-MX\View3d\_ReCoVeRy_+cusro.html	vxvvtaooidlk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\images\_ReCoVeRy_+cusro.png	vxvvtaooidlk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\AppList.scale-100_contrast-white.png	vxvvtaooidlk.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RIPPLE\_ReCoVeRy_+cusro.png	vxvvtaooidlk.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Apply\_ReCoVeRy_+cusro.png	vxvvtaooidlk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-48_altform-unplated_contrast-white_devicefamily-colorfulunplated.png	vxvvtaooidlk.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarBadge.scale-400.png	vxvvtaooidlk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-20_contrast-white.png	vxvvtaooidlk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_ReCoVeRy_+cusro.txt	vxvvtaooidlk.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\PhotosLargeTile.scale-100.png	vxvvtaooidlk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\sq-AL\_ReCoVeRy_+cusro.png	vxvvtaooidlk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSectionSmallTile.scale-125.png	vxvvtaooidlk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SmallTile.scale-125_contrast-black.png	vxvvtaooidlk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\images\PaySquare44x44Logo.scale-200.png	vxvvtaooidlk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\Standard.targetsize-32_contrast-black.png	vxvvtaooidlk.exe
File opened for modification	C:\Program Files\_ReCoVeRy_+cusro.html	vxvvtaooidlk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\_ReCoVeRy_+cusro.png	vxvvtaooidlk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionGroupWideTile.scale-125.png	vxvvtaooidlk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-white_scale-100.png	vxvvtaooidlk.exe
File opened for modification	C:\Program Files\Windows Sidebar\_ReCoVeRy_+cusro.txt	vxvvtaooidlk.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Place\contrast-white\_ReCoVeRy_+cusro.txt	vxvvtaooidlk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\onboarding\notifications_emptystate_v3.png	vxvvtaooidlk.exe
File opened for modification	C:\Program Files\Windows Media Player\it-IT\_ReCoVeRy_+cusro.png	vxvvtaooidlk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-96_altform-lightunplated.png	vxvvtaooidlk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\_ReCoVeRy_+cusro.png	vxvvtaooidlk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.NET.Native.Framework.2.2_2.2.27405.0_x64__8wekyb3d8bbwe\logo.png	vxvvtaooidlk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Images\SplashScreen.scale-200.png	vxvvtaooidlk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\he-IL\_ReCoVeRy_+cusro.png	vxvvtaooidlk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\_ReCoVeRy_+cusro.html	vxvvtaooidlk.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Cultures\_ReCoVeRy_+cusro.txt	vxvvtaooidlk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\_ReCoVeRy_+cusro.html	vxvvtaooidlk.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\FetchingMail.scale-200.png	vxvvtaooidlk.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\AppPackageLargeTile.scale-125_contrast-black.png	vxvvtaooidlk.exe
File opened for modification	C:\Program Files\7-Zip\Lang\af.txt	vxvvtaooidlk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Lighting\Light\Moonlight.png	vxvvtaooidlk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\MotionController_Diagram.jpg	vxvvtaooidlk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\_ReCoVeRy_+cusro.png	vxvvtaooidlk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\Standard.targetsize-32_contrast-white.png	vxvvtaooidlk.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarLargeTile.scale-200.png	vxvvtaooidlk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\am\_ReCoVeRy_+cusro.txt	vxvvtaooidlk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-white\_ReCoVeRy_+cusro.html	vxvvtaooidlk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\WideLogo.scale-100_contrast-white.png	vxvvtaooidlk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-80_altform-unplated_contrast-white.png	vxvvtaooidlk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_2019.19071.19011.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\_ReCoVeRy_+cusro.png	vxvvtaooidlk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\Assets\_ReCoVeRy_+cusro.html	vxvvtaooidlk.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ru\_ReCoVeRy_+cusro.txt	vxvvtaooidlk.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Yahoo-Light.scale-150.png	vxvvtaooidlk.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-96_altform-unplated.png	vxvvtaooidlk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\Ratings\Yelp2.scale-200.png	vxvvtaooidlk.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pa-in.txt	vxvvtaooidlk.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_ghost_company.png	vxvvtaooidlk.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\Doughboy.scale-125.png	vxvvtaooidlk.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\Presentation Designs\_ReCoVeRy_+cusro.txt	vxvvtaooidlk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNotePageMedTile.scale-100.png	vxvvtaooidlk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\Assets\Fonts\_ReCoVeRy_+cusro.html	vxvvtaooidlk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\_ReCoVeRy_+cusro.png	vxvvtaooidlk.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\AppPackageLargeTile.scale-125_contrast-white.png	vxvvtaooidlk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Dial\ColorPalette.png	vxvvtaooidlk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\Fonts\_ReCoVeRy_+cusro.png	vxvvtaooidlk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\contrast-black\WideTile.scale-200.png	vxvvtaooidlk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-white_targetsize-32.png	vxvvtaooidlk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\am_ET\_ReCoVeRy_+cusro.png	vxvvtaooidlk.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\vxvvtaooidlk.exe	VirusShare_1e1def42d14365acdde0fab027ab4f73.exe
File created	C:\Windows\vxvvtaooidlk.exe	VirusShare_1e1def42d14365acdde0fab027ab4f73.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings	vxvvtaooidlk.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2912	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4080	vxvvtaooidlk.exe
4080	vxvvtaooidlk.exe
4080	vxvvtaooidlk.exe
4080	vxvvtaooidlk.exe
4080	vxvvtaooidlk.exe
4080	vxvvtaooidlk.exe
4080	vxvvtaooidlk.exe
4080	vxvvtaooidlk.exe
4080	vxvvtaooidlk.exe
4080	vxvvtaooidlk.exe
4080	vxvvtaooidlk.exe
4080	vxvvtaooidlk.exe
4080	vxvvtaooidlk.exe
4080	vxvvtaooidlk.exe
4080	vxvvtaooidlk.exe
4080	vxvvtaooidlk.exe
4080	vxvvtaooidlk.exe
4080	vxvvtaooidlk.exe
4080	vxvvtaooidlk.exe
4080	vxvvtaooidlk.exe
4080	vxvvtaooidlk.exe
4080	vxvvtaooidlk.exe
4080	vxvvtaooidlk.exe
4080	vxvvtaooidlk.exe
4080	vxvvtaooidlk.exe
4080	vxvvtaooidlk.exe
4080	vxvvtaooidlk.exe
4080	vxvvtaooidlk.exe
4080	vxvvtaooidlk.exe
4080	vxvvtaooidlk.exe
4080	vxvvtaooidlk.exe
4080	vxvvtaooidlk.exe
4080	vxvvtaooidlk.exe
4080	vxvvtaooidlk.exe
4080	vxvvtaooidlk.exe
4080	vxvvtaooidlk.exe
4080	vxvvtaooidlk.exe
4080	vxvvtaooidlk.exe
4080	vxvvtaooidlk.exe
4080	vxvvtaooidlk.exe
4080	vxvvtaooidlk.exe
4080	vxvvtaooidlk.exe
4080	vxvvtaooidlk.exe
4080	vxvvtaooidlk.exe
4080	vxvvtaooidlk.exe
4080	vxvvtaooidlk.exe
4080	vxvvtaooidlk.exe
4080	vxvvtaooidlk.exe
4080	vxvvtaooidlk.exe
4080	vxvvtaooidlk.exe
4080	vxvvtaooidlk.exe
4080	vxvvtaooidlk.exe
4080	vxvvtaooidlk.exe
4080	vxvvtaooidlk.exe
4080	vxvvtaooidlk.exe
4080	vxvvtaooidlk.exe
4080	vxvvtaooidlk.exe
4080	vxvvtaooidlk.exe
4080	vxvvtaooidlk.exe
4080	vxvvtaooidlk.exe
4080	vxvvtaooidlk.exe
4080	vxvvtaooidlk.exe
4080	vxvvtaooidlk.exe
4080	vxvvtaooidlk.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1576	VirusShare_1e1def42d14365acdde0fab027ab4f73.exe
Token: SeDebugPrivilege	4080	vxvvtaooidlk.exe
Token: SeIncreaseQuotaPrivilege	1792	WMIC.exe
Token: SeSecurityPrivilege	1792	WMIC.exe
Token: SeTakeOwnershipPrivilege	1792	WMIC.exe
Token: SeLoadDriverPrivilege	1792	WMIC.exe
Token: SeSystemProfilePrivilege	1792	WMIC.exe
Token: SeSystemtimePrivilege	1792	WMIC.exe
Token: SeProfSingleProcessPrivilege	1792	WMIC.exe
Token: SeIncBasePriorityPrivilege	1792	WMIC.exe
Token: SeCreatePagefilePrivilege	1792	WMIC.exe
Token: SeBackupPrivilege	1792	WMIC.exe
Token: SeRestorePrivilege	1792	WMIC.exe
Token: SeShutdownPrivilege	1792	WMIC.exe
Token: SeDebugPrivilege	1792	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1792	WMIC.exe
Token: SeRemoteShutdownPrivilege	1792	WMIC.exe
Token: SeUndockPrivilege	1792	WMIC.exe
Token: SeManageVolumePrivilege	1792	WMIC.exe
Token: 33	1792	WMIC.exe
Token: 34	1792	WMIC.exe
Token: 35	1792	WMIC.exe
Token: 36	1792	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1792	WMIC.exe
Token: SeSecurityPrivilege	1792	WMIC.exe
Token: SeTakeOwnershipPrivilege	1792	WMIC.exe
Token: SeLoadDriverPrivilege	1792	WMIC.exe
Token: SeSystemProfilePrivilege	1792	WMIC.exe
Token: SeSystemtimePrivilege	1792	WMIC.exe
Token: SeProfSingleProcessPrivilege	1792	WMIC.exe
Token: SeIncBasePriorityPrivilege	1792	WMIC.exe
Token: SeCreatePagefilePrivilege	1792	WMIC.exe
Token: SeBackupPrivilege	1792	WMIC.exe
Token: SeRestorePrivilege	1792	WMIC.exe
Token: SeShutdownPrivilege	1792	WMIC.exe
Token: SeDebugPrivilege	1792	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1792	WMIC.exe
Token: SeRemoteShutdownPrivilege	1792	WMIC.exe
Token: SeUndockPrivilege	1792	WMIC.exe
Token: SeManageVolumePrivilege	1792	WMIC.exe
Token: 33	1792	WMIC.exe
Token: 34	1792	WMIC.exe
Token: 35	1792	WMIC.exe
Token: 36	1792	WMIC.exe
Token: SeBackupPrivilege	3524	vssvc.exe
Token: SeRestorePrivilege	3524	vssvc.exe
Token: SeAuditPrivilege	3524	vssvc.exe
Token: SeIncreaseQuotaPrivilege	440	WMIC.exe
Token: SeSecurityPrivilege	440	WMIC.exe
Token: SeTakeOwnershipPrivilege	440	WMIC.exe
Token: SeLoadDriverPrivilege	440	WMIC.exe
Token: SeSystemProfilePrivilege	440	WMIC.exe
Token: SeSystemtimePrivilege	440	WMIC.exe
Token: SeProfSingleProcessPrivilege	440	WMIC.exe
Token: SeIncBasePriorityPrivilege	440	WMIC.exe
Token: SeCreatePagefilePrivilege	440	WMIC.exe
Token: SeBackupPrivilege	440	WMIC.exe
Token: SeRestorePrivilege	440	WMIC.exe
Token: SeShutdownPrivilege	440	WMIC.exe
Token: SeDebugPrivilege	440	WMIC.exe
Token: SeSystemEnvironmentPrivilege	440	WMIC.exe
Token: SeRemoteShutdownPrivilege	440	WMIC.exe
Token: SeUndockPrivilege	440	WMIC.exe
Token: SeManageVolumePrivilege	440	WMIC.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1576 wrote to memory of 4080	1576	VirusShare_1e1def42d14365acdde0fab027ab4f73.exe	82
PID 1576 wrote to memory of 4080	1576	VirusShare_1e1def42d14365acdde0fab027ab4f73.exe	82
PID 1576 wrote to memory of 4080	1576	VirusShare_1e1def42d14365acdde0fab027ab4f73.exe	82
PID 1576 wrote to memory of 5012	1576	VirusShare_1e1def42d14365acdde0fab027ab4f73.exe	83
PID 1576 wrote to memory of 5012	1576	VirusShare_1e1def42d14365acdde0fab027ab4f73.exe	83
PID 1576 wrote to memory of 5012	1576	VirusShare_1e1def42d14365acdde0fab027ab4f73.exe	83
PID 4080 wrote to memory of 1792	4080	vxvvtaooidlk.exe	85
PID 4080 wrote to memory of 1792	4080	vxvvtaooidlk.exe	85
PID 4080 wrote to memory of 2912	4080	vxvvtaooidlk.exe	98
PID 4080 wrote to memory of 2912	4080	vxvvtaooidlk.exe	98
PID 4080 wrote to memory of 2912	4080	vxvvtaooidlk.exe	98
PID 4080 wrote to memory of 4492	4080	vxvvtaooidlk.exe	99
PID 4080 wrote to memory of 4492	4080	vxvvtaooidlk.exe	99
PID 4492 wrote to memory of 1668	4492	msedge.exe	100
PID 4492 wrote to memory of 1668	4492	msedge.exe	100
PID 4080 wrote to memory of 440	4080	vxvvtaooidlk.exe	101
PID 4080 wrote to memory of 440	4080	vxvvtaooidlk.exe	101
PID 4492 wrote to memory of 528	4492	msedge.exe	103
PID 4492 wrote to memory of 528	4492	msedge.exe	103
PID 4492 wrote to memory of 528	4492	msedge.exe	103
PID 4492 wrote to memory of 528	4492	msedge.exe	103
PID 4492 wrote to memory of 528	4492	msedge.exe	103
PID 4492 wrote to memory of 528	4492	msedge.exe	103
PID 4492 wrote to memory of 528	4492	msedge.exe	103
PID 4492 wrote to memory of 528	4492	msedge.exe	103
PID 4492 wrote to memory of 528	4492	msedge.exe	103
PID 4492 wrote to memory of 528	4492	msedge.exe	103
PID 4492 wrote to memory of 528	4492	msedge.exe	103
PID 4492 wrote to memory of 528	4492	msedge.exe	103
PID 4492 wrote to memory of 528	4492	msedge.exe	103
PID 4492 wrote to memory of 528	4492	msedge.exe	103
PID 4492 wrote to memory of 528	4492	msedge.exe	103
PID 4492 wrote to memory of 528	4492	msedge.exe	103
PID 4492 wrote to memory of 528	4492	msedge.exe	103
PID 4492 wrote to memory of 528	4492	msedge.exe	103
PID 4492 wrote to memory of 528	4492	msedge.exe	103
PID 4492 wrote to memory of 528	4492	msedge.exe	103
PID 4492 wrote to memory of 528	4492	msedge.exe	103
PID 4492 wrote to memory of 528	4492	msedge.exe	103
PID 4492 wrote to memory of 528	4492	msedge.exe	103
PID 4492 wrote to memory of 528	4492	msedge.exe	103
PID 4492 wrote to memory of 528	4492	msedge.exe	103
PID 4492 wrote to memory of 528	4492	msedge.exe	103
PID 4492 wrote to memory of 528	4492	msedge.exe	103
PID 4492 wrote to memory of 528	4492	msedge.exe	103
PID 4492 wrote to memory of 528	4492	msedge.exe	103
PID 4492 wrote to memory of 528	4492	msedge.exe	103
PID 4492 wrote to memory of 528	4492	msedge.exe	103
PID 4492 wrote to memory of 528	4492	msedge.exe	103
PID 4492 wrote to memory of 528	4492	msedge.exe	103
PID 4492 wrote to memory of 528	4492	msedge.exe	103
PID 4492 wrote to memory of 528	4492	msedge.exe	103
PID 4492 wrote to memory of 528	4492	msedge.exe	103
PID 4492 wrote to memory of 528	4492	msedge.exe	103
PID 4492 wrote to memory of 528	4492	msedge.exe	103
PID 4492 wrote to memory of 528	4492	msedge.exe	103
PID 4492 wrote to memory of 528	4492	msedge.exe	103
PID 4492 wrote to memory of 1884	4492	msedge.exe	104
PID 4492 wrote to memory of 1884	4492	msedge.exe	104
PID 4492 wrote to memory of 2056	4492	msedge.exe	105
PID 4492 wrote to memory of 2056	4492	msedge.exe	105
PID 4492 wrote to memory of 2056	4492	msedge.exe	105
PID 4492 wrote to memory of 2056	4492	msedge.exe	105
PID 4492 wrote to memory of 2056	4492	msedge.exe	105

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	vxvvtaooidlk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	vxvvtaooidlk.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\VirusShare_1e1def42d14365acdde0fab027ab4f73.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_1e1def42d14365acdde0fab027ab4f73.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1576
- C:\Windows\vxvvtaooidlk.exe
  C:\Windows\vxvvtaooidlk.exe
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4080
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1792
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_ReCoVeRy_.TXT
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:2912
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\_ReCoVeRy_.HTM
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4492
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd5b0346f8,0x7ffd5b034708,0x7ffd5b034718
      4⤵
      PID:1668
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,7726975445151716416,17735865371885224637,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
      4⤵
      PID:528
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,7726975445151716416,17735865371885224637,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
      4⤵
      PID:1884
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,7726975445151716416,17735865371885224637,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2888 /prefetch:8
      4⤵
      PID:2056
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7726975445151716416,17735865371885224637,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
      4⤵
      PID:468
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7726975445151716416,17735865371885224637,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
      4⤵
      PID:1528
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,7726975445151716416,17735865371885224637,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5184 /prefetch:8
      4⤵
      PID:1068
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,7726975445151716416,17735865371885224637,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5184 /prefetch:8
      4⤵
      PID:3148
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7726975445151716416,17735865371885224637,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1
      4⤵
      PID:2032
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7726975445151716416,17735865371885224637,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5284 /prefetch:1
      4⤵
      PID:1112
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7726975445151716416,17735865371885224637,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
      4⤵
      PID:3832
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7726975445151716416,17735865371885224637,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3464 /prefetch:1
      4⤵
      PID:4408
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:440
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\VXVVTA~1.EXE
    3⤵
    PID:1868
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE
  2⤵
  PID:5012

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3524

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1484

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\_ReCoVeRy_+cusro.html

Filesize
12KB

MD5
8d2c3dc0e44bf6d757d4ca7ee217deaf

SHA1
509cbd2c61754c54834cdd254bd3dd751a68746f

SHA256
b2aa9a9ad6201bd0f9b5c3b60f9e184d7ac57a88ecfd2790959f52161b37a8db

SHA512
d61ef4cf33395a8b0fac9a097f03f4ebc2bbdfd604f9ce5570fc1995c8ae21fa28d7aea19020dccd56eeffcb8f43bec714a436b86cc24d42a6783e4fd51da89b

Download Submit
C:\Program Files\7-Zip\Lang\_ReCoVeRy_+cusro.png

Filesize
64KB

MD5
946f8f0a372ff716b5d5aa0b09f87d2e

SHA1
da325cf676b5271dada303219be0b4cd6c90985b

SHA256
7b49115ab9d269243b469dd72df6b4492c48e950f91a27417c010ee2427fed83

SHA512
0217a95b6e35fd453217f0e4eecf8d92a6d77db9209ba9bd0a7f838ce2be897fbc95ebe5357665a86ef1e855db016e386059c840ecb07f8ddbc7e0e6d21f906c

Download Submit
C:\Program Files\7-Zip\Lang\_ReCoVeRy_+cusro.txt

Filesize
1KB

MD5
e13a532dc430cb58db779d083f812b7d

SHA1
74d0293147a5c6b914901fb17868527500417256

SHA256
88b7d42fa9cb5c080645c3932c599166c3f52c44c15deb7e3c13997a5fad3990

SHA512
9333c07649a8c42c116c9b1354d3502d5f00476c6a39551f53233535221be427ae374fa77f11994579036c860e04e59d6fd7a755c6c4e3e78b2a6bb3de2caec4

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
560B

MD5
1078f4dcc3e58e362ff16c8b5c76de32

SHA1
9afea314cd1cb4ef3270ec81e9626630d2d1e471

SHA256
66dfc6b3f9c09ad3438a5be5d1533b8dec8ecb19801dc460048d652066b0fc4d

SHA512
f9320b71951a038b312ed03590ebf1cd6400e90e35c80c5d4345235afb3a396f0455543295e65cbebb556b9f1859a6e6fd2f37747693d333a322054a684b2516

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
560B

MD5
dc75c5206ddc9665984f422d5e43ff76

SHA1
c46d894caeac18fa35c6c61a69204a3533c425af

SHA256
8c874cc9822fdec05a1c4d3d9743421fb0856b1505df8561a896da11c23622e0

SHA512
c9a6eaa2e2b199ca58bf00721f98f3a7393cce8b5955087d6401f8470174b18ab22ddd251cd6bfbec213b62da471a206f67752f33e240da89048f8441c070891

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
416B

MD5
9962c57a3ee052104a1e4913ccf8047a

SHA1
8e324d34e0bfa5a473af1f15292f43bce5beba79

SHA256
2a6adb240a0daa1e011193d6bcb28e98017f7057754412c355e350e2fd06bf30

SHA512
e11891fdf1ea3fcc283b43b4fcc32a93a91472602caf7891372b175c3fad1fd19420e4f9af4fa23a4e4c9964dd6a923e4652efdb4badc5e0dc7dd008fa816892

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
612a6c4247ef652299b376221c984213

SHA1
d306f3b16bde39708aa862aee372345feb559750

SHA256
9d8e24c91cff338e56b518a533cb2e49a2803356bbf6e04892fb168a7ce2844a

SHA512
34a14d63abb1e3fe0f9927a94393043d458fe0624843e108d290266f554018e6379cba924cb5388735abdd6c5f1e2e318478a673f3f9b762815a758866d10973

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
56641592f6e69f5f5fb06f2319384490

SHA1
6a86be42e2c6d26b7830ad9f4e2627995fd91069

SHA256
02d4984e590e947265474d592e64edde840fdca7eb881eebde3e220a1d883455

SHA512
c75e689b2bbbe07ebf72baf75c56f19c39f45d5593cf47535eb722f95002b3ee418027047c0ee8d63800f499038db5e2c24aff9705d830c7b6eaa290d9adc868

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b3843bf470ae524d85327570b161e7ff

SHA1
28265ec0d80f24a6b37eb7d6e3c47c921ed741d7

SHA256
c54c42bf94c5d305b110ebafee2f46e95bc606ad4031696efe1a8ecbd97d5043

SHA512
978bfc6e49564bc888fc4f67cf69a76198ebc0a194c81d3b386299f11a1a91da35c0b89729e62a5bdc4212af483ca33ff658066baf2ac4b61569e37417d380a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
47564cedc3de9ad80a19647285854cd6

SHA1
34f5ce591a3cc99ee31e887f49030f5ece97faca

SHA256
221c9170261e9b91f4e33626f105e6199528c0b7159929521b5411006b0797eb

SHA512
0489f49c599d7628ad8f4c1111dcd87d15546ca35dd8b7d5879f4f8943dfd8b00529e0db1dd0b36f0152fc55665394c46789c674bbe7bd3efb017bc6b2cc6c87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
660d17eb32157a4cbba3be482c130654

SHA1
e6c7389caa8c6959e3bf85a60176f39252181aea

SHA256
7ddbb8678b6f36c8ec0ea347a233fc81f541e66bb2103444ab91cc96cd480e8b

SHA512
699e9f0d64af46b9be595fb6ce33e046fd2ead6911fd6d5d89acacd952efb247753c85a4da3f996bc4367ea503c5dc99531d2d0d19e0ace0286958eb22c5a87f

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133596440369039129.txt

Filesize
47KB

MD5
aa6eeb604e58f287f9e8e2ba437d8014

SHA1
f9d8e12e9b1062858ff85f32e32ce8123420e494

SHA256
5b1ca50c4236a78e09d2ee338bf38e227feb0ec5d15bf7bcdae818e4cfc600eb

SHA512
8f7c0eb347c76e762b16b694aae7b46ba3d4e0d1163cbc4aac938292b1289d0d2d9e678fd68d4600fdea29b39ce3adf2a4b1e7d4be5b5abd765851744af4331c

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133596449026566195.txt

Filesize
75KB

MD5
e5f935f2b18829ab37167e237f765d2b

SHA1
b9b8db185ae30647ca729708de9a4d3b57317d0f

SHA256
41a2f47658f1f745089b3f55469a399238af0d38ce8b099a8174b77769c10daa

SHA512
f9c7acc1781a833a18c85ca67ae59b6bb2db774af7a53a7231864dfda2fed57b3ed1079004409e2f5f33c11dcf0e7226d5327966be1de46e3ffd2af41eb88ee1

Download Submit
C:\Windows\vxvvtaooidlk.exe

Filesize
352KB

MD5
1e1def42d14365acdde0fab027ab4f73

SHA1
076c52faa6c76610fca15b8533e81bf8ba8133a8

SHA256
92b375015b3867f10a9cd94b6474986bf24c70e2d40b3280ceeec2331265be23

SHA512
c93298bc25a818114018cb51a3b0e4c3137b46633dabb6a17303f12473e58d64e19c39c14f307c0df9e0e4202171d2ab22eaef2bf3f7b35e5b9b7a114eb7d722

Download Submit
memory/1576-0-0x0000000002170000-0x00000000021F6000-memory.dmp

Filesize
536KB

Download
memory/1576-1-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/1576-10-0x0000000002170000-0x00000000021F6000-memory.dmp

Filesize
536KB

Download
memory/1576-9-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/4080-8600-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/4080-10368-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/4080-14-0x0000000002140000-0x00000000021C6000-memory.dmp

Filesize
536KB

Download
memory/4080-5226-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/4080-2484-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/4080-10412-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download